Re: [DNG] why is polkit needed? dropin replacement

2020-02-24 Thread tom
On Mon, 24 Feb 2020 13:46:46 +0100
Didier Kryn  wrote:

> On 24/02/2020 at 10:44, aitor wrote:
> > Hi Didier,
> >
> > On 24 February 2020 10:01:33 Didier Kryn 
> > wrote:
> >
> >> On 24/02/2020 at 01:16, Aitor wrote:
> >>>
> >>> Hi Tito,
> >>>
> >>> On 23/2/20 17:02, Tito via Dng wrote:
>  Why use 2 binaries rather than one? More programs, more code,
>  more communication between them equals more attack surface.
>  I would stay with just one suid binary, more so if you want to
>  go the su-only route.
> >>> I'll answer this question in more detail: the requirement of
> >>> suid privileges implies an additional (non-GUI) binary, due to
> >>> the fact that the usage of any GTK suid binary is impossible.
> >>> Read here:
> >>>
> >>> http://soc.if.usp.br/manual/libgtk2.0-doc/faq/x392.html
> >>     Does it mean that synaptic works that way, dropping
> >> privileges in the GUI?
> >>
> >>     Didier
> >
> > Synaptic is run as root via sudo/su. There are no suid privileges
> 
>      Hi Aitor.
> 
>      Sure, but it is running a GUI with root privilege. I thought
> this was the danger and I understood this was forbidden in GTK+.
> 

It's not a big deal as long as it's not some crazy bloated mess like a
web browser or something.

-- 
 _ 
/ This is the story of the bee Whose sex  \
| is very hard to see |
| |
| You cannot tell the he from the she But |
| she can tell, and so can he |
| |
| The little bee is never still She has   |
| no time to take the pill|
| |
| And that is why, in times like these|
\ There are so many sons of bees. /
 - 
\
 \
   /\   /\   
  //\\_//\\ 
  \_ _//   /
   / * * \/^^^]
   \_\O/_/[   ]
/   \_[   /
\ \_  /  /
 [ [ /  \/ _/
_[ [ \  /_/
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Re: [DNG] why is polkit needed? dropin replacement

2020-02-24 Thread Didier Kryn

On 24/02/2020 at 10:44, aitor wrote:

Hi Didier,

On 24 February 2020 10:01:33 Didier Kryn  wrote:


On 24/02/2020 at 01:16, Aitor wrote:


Hi Tito,

On 23/2/20 17:02, Tito via Dng wrote:

Why use 2 binaries rather than one? More programs, more code, more
communication between them equals more attack surface.
I would stay with just one suid binary, more so if you want to go the
su-only route.

I'll answer this question in more detail: the requirement of suid
privileges implies an additional (non-GUI) binary, due to the fact
that the usage of any GTK suid binary is impossible.
Read here:

http://soc.if.usp.br/manual/libgtk2.0-doc/faq/x392.html

    Does it mean that synaptic works that way, dropping privileges
in the GUI?

    Didier


Synaptic is run as root via sudo/su. There are no suid privileges


    Hi Aitor.

    Sure, but it is running a GUI with root privilege. I thought this
was the danger and I understood this was forbidden in GTK+.




Re: [DNG] why is polkit needed? dropin replacement

2020-02-24 Thread aitor

Hi Didier,

On 24 February 2020 10:01:33 Didier Kryn  wrote:


On 24/02/2020 at 01:16, Aitor wrote:


Hi Tito,

On 23/2/20 17:02, Tito via Dng wrote:

Why use 2 binaries rather than one? More programs, more code, more
communication between them equals more attack surface.
I would stay with just one suid binary, more so if you want to go the
su-only route.

I'll answer this question in more detail: the requirement of suid
privileges implies an additional (non-GUI) binary, due to the fact
that the usage of any GTK suid binary is impossible.
Read here:

http://soc.if.usp.br/manual/libgtk2.0-doc/faq/x392.html

Does it mean that synaptic works that way, dropping privileges
in the GUI?

Didier


Synaptic is run as root via sudo/su. There are no suid privileges.

Cheers,

Aitor.




Sent with AquaMail for Android
https://www.mobisystems.com/aqua-mail




Re: [DNG] why is polkit needed? dropin replacement

2020-02-24 Thread Didier Kryn

On 24/02/2020 at 01:16, Aitor wrote:


Hi Tito,

On 23/2/20 17:02, Tito via Dng wrote:
Why use 2 binaries rather than one? More programs, more code, more
communication between them equals more attack surface.
I would stay with just one suid binary, more so if you want to go the
su-only route.
I'll answer this question in more detail: the requirement of suid
privileges implies an additional (non-GUI) binary, due to the fact
that the usage of any GTK suid binary is impossible.

Read here:

http://soc.if.usp.br/manual/libgtk2.0-doc/faq/x392.html

    Does it mean that synaptic works that way, dropping privileges
in the GUI?


    Didier




Re: [DNG] why is polkit needed? dropin replacement

2020-02-24 Thread Didier Kryn

On 23/02/2020 at 16:26, Aitor wrote:

On 23/2/20 16:22, Aitor wrote:
- To have a look at the code of ssh-askpass, suggested by Didier 
Krin, whose dialog frame is useful only for X11 and not for wayland.


Kryn :)

    ssh-askpass is just an example. There is certainly something usable 
in wayland. sudo accepts any helper.


        Didier




Re: [DNG] why is polkit needed? dropin replacement

2020-02-23 Thread wirelessduck--- via Dng

On 2020-02-23 22:10, marc wrote:
> If I understand you correctly, you propose a simple gtk
> program that is setuid (so that it can read /etc/shadow, and
> grant root privileges). The problem is that there is no such
> thing as a simple gtk program. This is not a comment limited to
> gtk programs - most graphical toolkits and libraries present
> a pretty large attack surface - they contain large protocol
> interpreters and font rendering engines, flaws in which could 
> then be exploited to give root access without any password 
> whatsoever.

The author of XScreenSaver, Jamie Zawinski, has some FAQ [1] entries and a 
separate page [2] explaining why he never used GTK or other graphical toolkits 
for XScreenSaver development. Perhaps some of those ideas may be relevant to 
this gkexec project?

[1] https://www.jwz.org/xscreensaver/faq.html#toolkits
[2] https://www.jwz.org/xscreensaver/toolkits.html

—Tom



Re: [DNG] why is polkit needed? dropin replacement

2020-02-23 Thread Aitor

Hi,

On 23/2/20 23:10, marc wrote:

You should never send an unencrypted password over a shell or pipe.

So in the case of the former (using the shell, via echo or an
environment variable) you are correct. Those show up in process
listings...

I am not so sure about the second part, the bit about not passing
confidential information down a pipe. I am not aware of a third
party being able to see the content of a pipe. If you are worried
about the invoking user seeing the password, bear in mind that on sane
distributions a normal user can strace the xterm in which one
invokes su or sudo. This is not a recommendation to disable
strace, it is a strong recommendation to run your web browser
under a different uid - actually I am surprised that distributions
don't have a wrapper which runs a browser as a different uid
but with a shared gid...


I would use a simple gtk window with a gtkentry (Gtk2/GTK3 compatible) + 2
buttons (cancel, ok);
that way it will be the gtk backend that cares about X11 or wayland (I suppose...):

...

Why use 2 binaries rather than one? More programs, more code, more
communication between them equals more attack surface.
I would stay with just one suid binary, more so if you want to go the su-only
route.

If I understand you correctly, you propose a simple gtk
program that is setuid (so that it can read /etc/shadow, and
grant root privileges). The problem is that there is no such
thing as a simple gtk program. This is not a comment limited to
gtk programs - most graphical toolkits and libraries present
a pretty large attack surface - they contain large protocol
interpreters and font rendering engines, flaws in which could
then be exploited to give root access without any password
whatsoever.

So invoking su or sudo via a pipe is probably the way to go
after all. Do note that sudo (or su) might not accept input
from a plain pipe - you might have to allocate a pseudotty
via /dev/pts/ptmx, then fork, exec su or sudo in the child
and in the parent write the password down the filedescriptor...

regards

marc


Thanks for your suggestions, marc. My first draft is a replacement for
ssh-askpass.


Here are the sources:

gnuinos.org/gkexec/gkexec.tar.bz2

The usage is similar to ssh-askpass, that is:

$ SUDO_ASKPASS=./gkexec sudo -A synaptic

I'm aware of several system variables playing a role in this issue,
and I'm looking at the code of lxqt-sudo.


See the README file.

Cheers,

Aitor.


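`sudo -A` as used above relies on a small protocol: sudo runs the program named by SUDO_ASKPASS, passes the prompt as that program's first argument and reads the password from the program's standard output, so the secret travels over a pipe and never over a command line. Below is an added, toolkit-free askpass helper in C that follows this protocol. It is not gkexec's code, ssh-askpass's code or anything posted in the thread; it assumes a POSIX system with /dev/tty, and a GTK or Qt front end would replace only prompt_on_tty(). read_password() refuses a line that does not fit rather than truncating it, and every buffer that held the secret is wiped before the function returns.

```c
/* Added example (not code from the thread, gkexec, ssh-askpass or sudo): a
 * minimal, toolkit-free askpass helper following the protocol `sudo -A`
 * uses.  sudo executes the program named by SUDO_ASKPASS with the prompt as
 * argv[1] and reads the password from the helper's standard output, so the
 * secret travels over a pipe, never over a command line.  Assumes a POSIX
 * system with /dev/tty; a GTK/Qt front end would replace prompt_on_tty(). */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Zero a secret in a way the optimiser cannot drop. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Read one line from `in` into buf, stripping the line terminator.  Returns
 * the password length, or -1 (buf wiped) on EOF or when the line does not
 * fit: refusing is safer than silently truncating a password. */
int read_password(FILE *in, char *buf, size_t len)
{
    if (len < 2 || fgets(buf, (int)len, in) == NULL) {
        if (len) wipe(buf, len);
        return -1;
    }
    size_t n = strcspn(buf, "\r\n");
    if (buf[n] == '\0' && n == len - 1) {   /* buffer filled, no newline seen */
        wipe(buf, len);
        return -1;
    }
    buf[n] = '\0';
    return (int)n;
}

/* Write a short message to a descriptor; a failed prompt is not fatal. */
static void say(int fd, const char *s)
{
    if (write(fd, s, strlen(s)) < 0) { /* nothing useful to do */ }
}

/* Prompt on the controlling terminal with echo disabled. */
static int prompt_on_tty(const char *prompt, char *buf, size_t len)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0) return -1;
    FILE *in = fdopen(fd, "r");
    if (in == NULL) { close(fd); return -1; }

    struct termios saved, quiet;
    int have_termios = tcgetattr(fd, &saved) == 0;
    if (have_termios) {
        quiet = saved;
        quiet.c_lflag &= ~(tcflag_t)ECHO;
        tcsetattr(fd, TCSAFLUSH, &quiet);
    }
    say(fd, prompt);
    int n = read_password(in, buf, len);
    if (have_termios) {
        tcsetattr(fd, TCSAFLUSH, &saved);
        say(fd, "\n");
    }
    fclose(in);                             /* also closes fd */
    return n;
}

/* Entry point as sudo calls it: argv[1] is the prompt.  The password goes to
 * stdout, whose other end sudo holds, and nowhere else. */
int askpass_main(int argc, char **argv)
{
    const char *prompt = argc > 1 ? argv[1] : "Password: ";
    char pw[256];
    int n = prompt_on_tty(prompt, pw, sizeof pw);
    if (n < 0) return 1;
    /* fwrite, not printf: the password is data, never a format string. */
    int ok = fwrite(pw, 1, (size_t)n, stdout) == (size_t)n
          && putchar('\n') != EOF && fflush(stdout) == 0;
    wipe(pw, sizeof pw);
    return ok ? 0 : 1;
}

int main(int argc, char **argv)
{
    return askpass_main(argc, argv);
}
```

Build it and point sudo at the binary the same way the message above does with gkexec: `SUDO_ASKPASS=/path/to/askpass sudo -A synaptic`.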


Re: [DNG] why is polkit needed? dropin replacement

2020-02-23 Thread Aitor

Hi Tito,

On 23/2/20 17:02, Tito via Dng wrote:
Why use 2 binaries rather than one? More programs, more code, more
communication between them equals more attack surface.
I would stay with just one suid binary, more so if you want to go the
su-only route.
I'll answer this question in more detail: the requirement of suid
privileges implies an additional (non-GUI) binary, due to the fact that
the usage of any GTK suid binary is impossible.

Read here:

http://soc.if.usp.br/manual/libgtk2.0-doc/faq/x392.html

Cheers,

Aitor.




Re: [DNG] why is polkit needed? dropin replacement

2020-02-23 Thread Tito via Dng

On 2/23/20 11:10 PM, marc wrote:

You should never send an unencrypted password over a shell or pipe.


So in the case of the former (using the shell, via echo or an
environment variable) you are correct. Those show up in process
listings...

I am not so sure about the second part, the bit about not passing
confidential information down a pipe. I am not aware of a third
party being able to see the content of a pipe. If you are worried
about the invoking user seeing the password, bear in mind that on sane
distributions a normal user can strace the xterm in which one
invokes su or sudo. This is not a recommendation to disable
strace, it is a strong recommendation to run your web browser
under a different uid - actually I am surprised that distributions
don't have a wrapper which runs a browser as a different uid
but with a shared gid...


Hi,
I intended | as a pipe, so doing echo something |.



I would use a simple gtk window with a gtkentry (Gtk2/GTK3 compatible) + 2
buttons (cancel, ok);
that way it will be the gtk backend that cares about X11 or wayland (I suppose...):

...

Why use 2 binaries rather than one? More programs, more code, more
communication between them equals more attack surface.
I would stay with just one suid binary, more so if you want to go the su-only
route.


If I understand you correctly, you propose a simple gtk
program that is setuid (so that it can read /etc/shadow, and
grant root privileges). The problem is that there is no such
thing as a simple gtk program. This is not a comment limited to
gtk programs - most graphical toolkits and libraries present
a pretty large attack surface - they contain large protocol
interpreters and font rendering engines, flaws in which could
then be exploited to give root access without any password
whatsoever.


Yes, but after having written part of it, it looked too easy
to be true and I started wondering why nobody did it that
way already, and so I figured out the reason myself.
I fully agree.


So invoking su or sudo via a pipe is probably the way to go
after all. Do note that sudo (or su) might not accept input
from a plain pipe - you might have to allocate a pseudotty
via /dev/pts/ptmx, then fork, exec su or sudo in the child
and in the parent write the password down the filedescriptor...

regards

marc


Ciao,
Tito





Re: [DNG] why is polkit needed? dropin replacement

2020-02-23 Thread marc
> >>You should never send an unencrypted password over a shell or pipe.

So in the case of the former (using the shell, via echo or an 
environment variable) you are correct. Those show up in process
listings...

I am not so sure about the second part, the bit about not passing
confidential information down a pipe. I am not aware of a third
party being able to see the content of a pipe. If you are worried
about the invoking user seeing the password, bear in mind that on sane
distributions a normal user can strace the xterm in which one 
invokes su or sudo. This is not a recommendation to disable
strace, it is a strong recommendation to run your web browser
under a different uid - actually I am surprised that distributions
don't have a wrapper which runs a browser as a different uid
but with a shared gid...

> I would use a simple gtk window with a gtkentry (Gtk2/GTK3 compatible) + 2 
> buttons (cancel, ok);
> that way it will be the gtk backend that cares about X11 or wayland (I 
> suppose...):
...
> Why use 2 binaries rather than one? More programs, more code, more 
> communication between them equals more attack surface.
> I would stay with just one suid binary, more so if you want to go the su-only 
> route.

If I understand you correctly, you propose a simple gtk
program that is setuid (so that it can read /etc/shadow, and
grant root privileges). The problem is that there is no such
thing as a simple gtk program. This is not a comment limited to
gtk programs - most graphical toolkits and libraries present
a pretty large attack surface - they contain large protocol
interpreters and font rendering engines, flaws in which could 
then be exploited to give root access without any password 
whatsoever.

So invoking su or sudo via a pipe is probably the way to go
after all. Do note that sudo (or su) might not accept input
from a plain pipe - you might have to allocate a pseudotty
via /dev/pts/ptmx, then fork, exec su or sudo in the child
and in the parent write the password down the filedescriptor...

regards

marc
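The approach marc outlines above (allocate a pseudo-terminal, fork, exec su or sudo in the child, write the password down the master descriptor), as an added example in C. It is not code from this thread, from gkexec, from su or from sudo, and it assumes Linux with glibc; `cat` stands in for su so that it runs unprivileged, and the secret `hunter2` is a constructed value. It demonstrates the point made about /proc: the secret is handed over on a file descriptor and is never part of any argv or environment block, so neither `ps` nor `/proc/<pid>/cmdline` can show it. (sudo -S would accept the password from a plain pipe on stdin; su insists on a terminal, which is why a pty is allocated here.)

```c
/* Added example (not code from the thread, gkexec, su or sudo): start a
 * command on a fresh pseudo-terminal and type a secret into it through the
 * pty master, the approach marc outlines.  Assumes Linux with glibc.  The
 * secret only ever travels over a file descriptor: it is in no argv (so not
 * in /proc/<pid>/cmdline or ps output) and in no environment block. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <termios.h>
#include <unistd.h>

/* Zero a secret in a way the optimiser cannot drop. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Fork argv[0] with a new pty as its controlling terminal.  Echo is switched
 * off on the slave before the fork, so the secret is never reflected back to
 * the master.  Returns the master fd, or -1 on error. */
static int spawn_on_pty(char *const argv[], pid_t *pid)
{
    const char *name = NULL;
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0) return -1;
    if (grantpt(master) < 0 || unlockpt(master) < 0 ||
        (name = ptsname(master)) == NULL) { close(master); return -1; }
    int slave = open(name, O_RDWR | O_NOCTTY);
    if (slave < 0) { close(master); return -1; }

    struct termios t;
    if (tcgetattr(slave, &t) == 0) {
        t.c_lflag &= ~(tcflag_t)ECHO;
        tcsetattr(slave, TCSANOW, &t);
    }

    *pid = fork();
    if (*pid < 0) { close(slave); close(master); return -1; }
    if (*pid == 0) {
        /* Child: own session, slave becomes controlling tty and stdio. */
        setsid();
        ioctl(slave, TIOCSCTTY, 0);
        dup2(slave, 0); dup2(slave, 1); dup2(slave, 2);
        if (slave > 2) close(slave);
        close(master);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(slave);                  /* the parent keeps only the master side */
    return master;
}

/* Run argv with `secret` typed into its terminal.  The child's first output
 * line (CR/LF stripped) is stored in out; returns its length, or -1.  The
 * local copy of the secret is wiped as soon as it has been written. */
ssize_t feed_secret(char *const argv[], const char *secret,
                    char *out, size_t outlen)
{
    char line[256];
    size_t n = strlen(secret);
    if (outlen < 2 || n > sizeof line - 2) return -1;

    pid_t pid;
    int master = spawn_on_pty(argv, &pid);
    if (master < 0) return -1;

    memcpy(line, secret, n);
    line[n++] = '\n';                    /* su and sudo expect a full line */
    ssize_t w = write(master, line, n);
    wipe(line, sizeof line);

    ssize_t total = 0, r;
    while (w > 0 && total < (ssize_t)outlen - 1 &&
           (r = read(master, out + total, outlen - 1 - (size_t)total)) > 0) {
        total += r;
        if (memchr(out, '\n', (size_t)total)) break;
    }
    out[total] = '\0';
    total = (ssize_t)strcspn(out, "\r\n");
    out[total] = '\0';

    close(master);                       /* hangup: the child loses its tty */
    kill(pid, SIGHUP);
    waitpid(pid, NULL, 0);
    return w > 0 ? total : -1;
}

int main(void)
{
    char out[128];
    char *argv[] = { "cat", NULL };      /* stand-in for su/sudo */
    /* "hunter2" is a constructed secret for the demonstration */
    if (feed_secret(argv, "hunter2", out, sizeof out) < 0)
        return 1;
    printf("child saw: %s\n", out);
    return 0;
}
```

With `cat` as the child the line comes straight back, proving the secret reached the child's terminal; with `su -c cmd` or `sudo cmd` in argv the same write answers the password prompt, and after the write the parent should stop reading and simply wait for the child. Nothing in `ps aux` or `/proc/<pid>/cmdline` of either process contains the secret, which is the gap the `system("echo ... | sudo -S ...")` draft left open.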


Re: [DNG] why is polkit needed? dropin replacement

2020-02-23 Thread Aitor

Hi again Tito,

On 23/2/20 17:02, Tito via Dng wrote:

On 2/23/20 4:22 PM, Aitor wrote:

Hi Tito,

On 23/2/20 14:15, Tito via Dng wrote:

On 2/23/20 1:54 PM, Aitor wrote:

Hi,

On 23/2/20 13:17, Aitor wrote:
The binary won't be suid, but rather it'll receive the root
password through the mentioned unix socket, using (sudo | su)
internally afterwards.


As simple as that:

system( "echo  | sudo -S ");

I tested my first draft and it works. Do it simple, isn't it?

Aitor.


Hi,

this looks dangerous, isn't the password readable unencrypted in
e.g. /proc?

You should never send an unencrypted password over a shell or pipe.
Usually the password, as soon as it is input, is encrypted with the
correct cipher for the system and the buffer is zeroed; then the
encrypted password is compared to what is in /etc/shadow or
/etc/passwd, or handled in whatever way is deemed fit.
I suggest you handle the passwords and the command and args to be
run in your program.

This way:
1) the password stays unencrypted for the shortest time
2) you have control and you can vet the env, program and args that
are run.


Hope this helps.

Ciao,
Tito


Thanks for the info, I know... Some people ripped me to shreds in the
IRC channel some years ago, when I started working on the backend of
simple-netaid.


This is only for testing the first part of the project. I have two 
ideas for the second part:


- To have a look at the code of ssh-askpass, suggested by Didier 
Krin, whose dialog frame is useful only for X11 and not for wayland.


Hi,

I would use a simple gtk window with a gtkentry (Gtk2/GTK3 compatible)
+ 2 buttons (cancel, ok);
that way it will be the gtk backend that cares about X11 or wayland (I
suppose...):


"put into “password mode” using gtk_entry_set_visibility(). In this 
mode, entered text is displayed using
 an “invisible” character. By default, GTK+ picks the best invisible 
character that is available in the current
font, but it can be changed with gtk_entry_set_invisible_char(). Since 
2.16, GTK+ displays a warning when Caps
Lock or input methods might interfere with entering text in a password 
entry.

The warning can be turned off with the “caps-lock-warning” property."

"Note that you probably want to set “input-purpose” to 
GTK_INPUT_PURPOSE_PASSWORD or GTK_INPUT_PURPOSE_PIN
 to inform input methods about the purpose of this entry, in addition 
to setting visibility to FALSE."


On hitting Enter or the OK button this returns a gchar string (typedef
of char)

that could be fed to:

encrypted = pw_encrypt(plaintext, /*salt:*/ pw_pass, 1);
r = (strcmp(encrypted, pw_pass) == 0);
free(encrypted);
nuke_str(plaintext);
return r;

To see a good example take a look at: busybox/libbb/correct_password.c
This is widely used code and most pitfalls are already handled.


Thanks, I'll have a look at the code. In any case, something like the
code below would be enough:


setenv("SUDO_ASKPASS", password, 1);
printf("%s\n", password);

The password needs to be printed, otherwise it won't work.

Then, sudo reads the value of the system variable via:

askpass = getenv_unhooked("SUDO_ASKPASS");

and immediately sudo uses the "unsetenv" function in order to reset the
value. This is exactly how ssh-askpass works.


All that done, the application can be used in the same way suggested by 
Didier, replacing ssh-askpass by our new application.


- To emulate keypress events in C code afterwards, according to the 
received password.


Looks overcomplex to me, but I'm not a guru


Yes, I think so.



On the other hand, what do you think about the suid receiving the
password through the socket, with the file descriptor staying open for
the shortest time? I assume it is encrypted.


Why use 2 binaries rather than one? More programs, more code, more
communication between them equals more attack surface.
I would stay with just one suid binary, more so if you want to go the
su-only route.
After having taken a look at the sudo source code I think it is by far
more complex than simple su; I personally would avoid it altogether,
but this could be added later after having got the simpler su-only
case right.
I will see if I'm able to cobble together some working example code,
just for the fun and to refresh my C coding skills.


I started using two separate binaries due to the suid permissions.
Bypassing that, the use of two binaries makes no sense.




Just my 2 cents.

Ciao,
Tito



Thanks a lot!

Aitor.




Re: [DNG] why is polkit needed? dropin replacement

2020-02-23 Thread Tito via Dng



On 2/23/20 4:22 PM, Aitor wrote:

Hi Tito,

On 23/2/20 14:15, Tito via Dng wrote:

On 2/23/20 1:54 PM, Aitor wrote:

Hi,

On 23/2/20 13:17, Aitor wrote:

The binary won't be suid, but rather it'll receive the root password through
the mentioned unix socket, using (sudo | su) internally afterwards.


As simple as that:

system( "echo  | sudo -S ");

I tested my first draft and it works. Do it simple, isn't it?

Aitor.


Hi,

this looks dangerous, isn't the password readable unencrypted in e.g. /proc?
You should never send an unencrypted password over a shell or pipe.
Usually the password, as soon as it is input, is encrypted with the correct
cipher for the system and the buffer is zeroed; then the encrypted password is
compared to what is in /etc/shadow or /etc/passwd, or handled in whatever way
is deemed fit.
I suggest you handle the passwords and the command and args to be run in
your program.
This way:
1) the password stays unencrypted for the shortest time
2) you have control and you can vet the env, program and args that are run.

Hope this helps.

Ciao,
Tito


Thanks for the info, I know... Some people ripped me to shreds in the IRC
channel some years ago, when I started working on the backend of simple-netaid.

This is only for testing the first part of the project. I have two ideas for 
the second part:

- To have a look at the code of ssh-askpass, suggested by Didier Krin, whose 
dialog frame is useful only for X11 and not for wayland.


Hi,

I would use a simple gtk window with a gtkentry (Gtk2/GTK3 compatible) + 2
buttons (cancel, ok);
that way it will be the gtk backend that cares about X11 or wayland (I suppose...):

"put into “password mode” using gtk_entry_set_visibility(). In this mode, 
entered text is displayed using
 an “invisible” character. By default, GTK+ picks the best invisible character 
that is available in the current
font, but it can be changed with gtk_entry_set_invisible_char(). Since 2.16, 
GTK+ displays a warning when Caps
Lock or input methods might interfere with entering text in a password entry.
The warning can be turned off with the “caps-lock-warning” property."

"Note that you probably want to set “input-purpose” to 
GTK_INPUT_PURPOSE_PASSWORD or GTK_INPUT_PURPOSE_PIN
 to inform input methods about the purpose of this entry, in addition to setting 
visibility to FALSE."

On hitting Enter or the OK button this returns a gchar string (typedef of char)
that could be fed to:

encrypted = pw_encrypt(plaintext, /*salt:*/ pw_pass, 1);
r = (strcmp(encrypted, pw_pass) == 0);
free(encrypted);
nuke_str(plaintext);
return r;

To see a good example take a look at: busybox/libbb/correct_password.c
This is widely used code and most pitfalls are already handled.




- To emulate keypress events in C code afterwards, according to the received 
password.


Looks overcomplex to me, but I'm not a guru


On the other hand, what do you think about the suid receiving the password
through the socket, with the file descriptor staying open for the shortest
time? I assume it is encrypted.


Why use 2 binaries rather than one? More programs, more code, more
communication between them equals more attack surface.
I would stay with just one suid binary, more so if you want to go the su-only
route.
After having taken a look at the sudo source code I think it is by far more
complex than simple su; I personally would avoid it altogether, but this could
be added later after having got the simpler su-only case right.
I will see if I'm able to cobble together some working example code, just for
the fun and to refresh my C coding skills.

Just my 2 cents.

Ciao,
Tito



Thanks in advance,

Aitor.







Re: [DNG] why is polkit needed? dropin replacement

2020-02-23 Thread Aitor

On 23/2/20 16:22, Aitor wrote:
- To have a look at the code of ssh-askpass, suggested by Didier Krin, 
whose dialog frame is useful only for X11 and not for wayland.


Kryn :)





Re: [DNG] why is polkit needed? dropin replacement

2020-02-23 Thread Aitor

Hi Tito,

On 23/2/20 14:15, Tito via Dng wrote:

On 2/23/20 1:54 PM, Aitor wrote:

Hi,

On 23/2/20 13:17, Aitor wrote:
The binary won't be suid, but rather it'll receive the root password
through the mentioned unix socket, using (sudo | su) internally
afterwards.


As simple as that:

system( "echo  | sudo -S ");

I tested my first draft and it works. Do it simple, isn't it?

Aitor.


Hi,

this looks dangerous, isn't the password readable unencrypted in e.g.
/proc?

You should never send an unencrypted password over a shell or pipe.
Usually the password, as soon as it is input, is encrypted with the
correct cipher for the system and the buffer is zeroed; then the
encrypted password is compared to what is in /etc/shadow or
/etc/passwd, or handled in whatever way is deemed fit.
I suggest you handle the passwords and the command and args to be
run in your program.

This way:
1) the password stays unencrypted for the shortest time
2) you have control and you can vet the env, program and args that are
run.


Hope this helps.

Ciao,
Tito


Thanks for the info, I know... Some people ripped me to shreds in the
IRC channel some years ago, when I started working on the backend of
simple-netaid.


This is only for testing the first part of the project. I have two ideas 
for the second part:


- To have a look at the code of ssh-askpass, suggested by Didier Krin, 
whose dialog frame is useful only for X11 and not for wayland.


- To emulate keypress events in C code afterwards, according to the 
received password.


On the other hand, what do you think about the suid receiving the
password through the socket, with the file descriptor staying open for
the shortest time? I assume it is encrypted.


Thanks in advance,

Aitor.




Re: [DNG] why is polkit needed? dropin replacement

2020-02-23 Thread Tito via Dng



On 2/23/20 1:54 PM, Aitor wrote:

Hi,

On 23/2/20 13:17, Aitor wrote:

The binary won't be suid, but rather it'll receive the root password through
the mentioned unix socket, using (sudo | su) internally afterwards.


As simple as that:

system( "echo  | sudo -S ");

I tested my first draft and it works. Do it simple, isn't it?

Aitor.


Hi,

this looks dangerous, isn't the password readable unencrypted in e.g. /proc?
You should never send an unencrypted password over a shell or pipe.
Usually the password, as soon as it is input, is encrypted with the correct
cipher for the system and the buffer is zeroed; then the encrypted password is
compared to what is in /etc/shadow or /etc/passwd, or handled in whatever way
is deemed fit.
I suggest you handle the passwords and the command and args to be run in
your program.
This way:
1) the password stays unencrypted for the shortest time
2) you have control and you can vet the env, program and args that are run.

Hope this helps.

Ciao,
Tito




Re: [DNG] why is polkit needed? dropin replacement

2020-02-23 Thread Aitor

Hi,

On 23/2/20 13:17, Aitor wrote:
The binary won't be suid, but rather it'll receive the root password
through the mentioned unix socket, using (sudo | su) internally afterwards.


As simple as that:

system( "echo  | sudo -S ");

I tested my first draft and it works. Do it simple, isn't it?

Aitor.




Re: [DNG] why is polkit needed? dropin replacement

2020-02-23 Thread Aitor

Hi Tito,

On 23/2/20 13:19, Tito via Dng wrote:


Hi,

please don't restrict it, make it a universally usable tool.


Ok :)


Why use a socket? Maybe KISS?
For inspiration you can take a look at:
https://git.busybox.net/busybox/tree/loginutils/su.c
this is tested and widely used code.


Thanks for the info. I'll give it a try.


If you use C as the programming language and need any help,
drop a line.

Ciao,
Tito

BTW: it would be nice if this tool could be compiled
 with gtk2 or gtk3 this would allow more widespread
 adoption
The first code (for testing purposes) will be taken from the frontend of
simple-netaid -which is developed in gtkmm/C++-,

but I can rewrite it in Gtk/C over time.

Cheers,

Aitor.




Re: [DNG] why is polkit needed? dropin replacement

2020-02-23 Thread Aitor

Hi,

On 23/2/20 13:23, Aitor wrote:


Hi Tom,

On 23/2/20 13:21, tom wrote:

What happens when a password isn't needed, such as when a sudo policy is
set?


Are you referring to the sudo | su duality?

Aitor.

If so, the application might check the sudo permissions of the current 
user, reading the /etc/groups and /etc/sudoers files.





Re: [DNG] why is polkit needed? dropin replacement

2020-02-23 Thread Aitor

Hi Tom,

On 23/2/20 13:21, tom wrote:

What happens when a password isn't needed, such as when a sudo policy is
set?


Are you referring to the sudo | su duality?

Aitor.




Re: [DNG] why is polkit needed? dropin replacement

2020-02-23 Thread tom
On Sun, 23 Feb 2020 13:17:21 +0100
Aitor  wrote:

> Hi,
> 
> On 23/2/20 12:34, Aitor wrote:
> >
> > Hi Steve,
> >
> > On 21/2/20 21:57, Steve Litt wrote:
> >> Will it work even if I'm not using lxqt? Does it stand alone?
> >>   
> >> SteveT
> > I've just started developing a replacement for gksu in gtk2
> > following the same method used in simple-netaid,
> > that is: a suid binary receiving the password through a unix
> > socket, and the name of the application
> > to be run as an argument in the command line. Since I'm not that 
> > expert on security stuff, maybe I'll
> > restrict this tool only to a few graphical applications like
> > synaptic, bleachbit, gparted, thunar, pcmanfm...
> > Any suggestion for the name of this alternative? What about gkexec?
> >
> > Cheers,
> >
> > Aitor.
> >
> Correction:
> 
> The binary won't be suid, but rather it'll receive the root password 
> through the mentioned unix socket, using (sudo | su) internally
> afterwards.
> 
> Aitor.
> 
> 

What happens when a password isn't needed, such as when a sudo policy is
set?

-- 
 ___ 
/ I smell like a wet reducing clinic on \
\ Columbus Day! /
 --- 
\
 \
   /\   /\   
  //\\_//\\ 
  \_ _//   /
   / * * \/^^^]
   \_\O/_/[   ]
/   \_[   /
\ \_  /  /
 [ [ /  \/ _/
_[ [ \  /_/


Re: [DNG] why is polkit needed? dropin replacement

2020-02-23 Thread Tito via Dng



On 2/23/20 12:34 PM, Aitor wrote:

Hi Steve,

On 21/2/20 21:57, Steve Litt wrote:

Will it work even if I'm not using lxqt? Does it stand alone?
  
SteveT

I've just started developing a replacement for gksu in gtk2 following the
same method used in simple-netaid, that is: a suid binary receiving the
password through a unix socket, and the name of the application to be run as
an argument in the command line. Since I'm not that expert on security stuff,
maybe I'll restrict this tool only to a few graphical applications like
synaptic, bleachbit, gparted, thunar, pcmanfm...
Any suggestion for the name of this alternative? What about gkexec?

Cheers,

Aitor.



Hi,

please don't restrict it, make it a universally usable tool.
Why use a socket? Maybe KISS?
For inspiration you can take a look at:
https://git.busybox.net/busybox/tree/loginutils/su.c
this is tested and widely used code.
If you use C as the programming language and need any help,
drop a line.

Ciao,
Tito

BTW: it would be nice if this tool could be compiled
 with gtk2 or gtk3 this would allow more widespread
 adoption.



Re: [DNG] why is polkit needed? dropin replacement

2020-02-23 Thread Aitor

Hi,

On 23/2/20 12:34, Aitor wrote:

> Hi Steve,
>
> On 21/2/20 21:57, Steve Litt wrote:
>
> > Will it work even if I'm not using lxqt? Does it stand alone?
> >
> > SteveT
>
> I've just started developing a replacement for gksu in gtk2 following
> the same method used in simple-netaid, that is: a suid binary receiving
> the password through a unix socket, and the name of the application to
> be run as an argument in the command line. Since I'm not that expert on
> security stuff, maybe I'll restrict this tool only to a few graphical
> applications like synaptic, bleachbit, gparted, thunar, pcmanfm...
>
> Any suggestion for the name of this alternative? What about gkexec?
>
> Cheers,
>
> Aitor.


I rectify:

The binary won't be suid, but rather it'll receive the root password 
through the mentioned unix socket using internally (sudo | su) afterwards.


Aitor.




Re: [DNG] why is polkit needed? dropin replacement

2020-02-23 Thread Aitor

Hi Steve,

On 21/2/20 21:57, Steve Litt wrote:

> Will it work even if I'm not using lxqt? Does it stand alone?
>
> SteveT

I've just started developing a replacement for gksu in gtk2 following
the same method used in simple-netaid, that is: a suid binary receiving
the password through a unix socket, and the name of the application to
be run as an argument in the command line. Since I'm not that expert on
security stuff, maybe I'll restrict this tool only to a few graphical
applications like synaptic, bleachbit, gparted, thunar, pcmanfm...

Any suggestion for the name of this alternative? What about gkexec?

Cheers,

Aitor.




Re: [DNG] why is polkit needed? dropin replacement

2020-02-21 Thread Tito via Dng



On 2/21/20 10:56 PM, Florian Zieboll wrote:

> On Fri, 21 Feb 2020 15:57:42 -0500
> Steve Litt  wrote:
>
> > On Wed, 19 Feb 2020 01:23:47 -0800
> > tom  wrote:
> >
> > > Just found a drop-in replacement for gksudo. It's called lxqt-sudo.
> > > https://github.com/lxqt/lxqt-sudo
> > > It works pretty well.
> >
> > Will it work even if I'm not using lxqt? Does it stand alone?
>
> Not "alone", but quite fine for a GUI - and compared to gksu in a very
> different league:
>
> $ apt show lxqt-sudo | grep Depends # beowulf
> Depends: libc6 (>= 2.14), liblxqt0 (>= 0.14.1~), libqt5core5a (>=
> 5.11.0~rc1), libqt5gui5 (>= 5.7.0), libqt5widgets5 (>= 5.0.2),
> libstdc++6 (>= 6)
>
> $ apt show gksu | grep Depends  # jessie
> Depends: gconf-service, libatk1.0-0 (>= 1.12.4), libc6 (>= 2.4),
> libcairo2 (>= 1.2.4), libfontconfig1 (>= 2.11), libfreetype6 (>=
> 2.2.1), libgconf-2-4 (>= 3.2.5), libgdk-pixbuf2.0-0 (>= 2.22.0),
> libgksu2-0 (>= 2.0.8), libglib2.0-0 (>= 2.16.0), libgnome-keyring0 (>=
> 2.20.3), libgtk2.0-0 (>= 2.8.0), libpango-1.0-0 (>= 1.14.0),
> libpangocairo-1.0-0 (>= 1.14.0), libpangoft2-1.0-0 (>= 1.14.0),
> libstartup-notification0 (>= 0.2), sudo Conflicts: gnome-sudo (<=
> 0.3-1.1)
>
> libre Grüße,
> Florian


Hi,

I wonder if there is a way to make it intercept the polkit
dbus calls and eventually ask for a password?
Does something like: Replaces polkit exist in the
debian packaging voodoo?

Ciao,
Tito



Re: [DNG] why is polkit needed? dropin replacement

2020-02-21 Thread tom
On Wed, 19 Feb 2020 15:17:06 +0100
Tito via Dng  wrote:

> 
> 
> On 2/19/20 10:23 AM, tom wrote:
> > On Wed, 19 Feb 2020 00:35:26 -0800
> > tom  wrote:
> > 
> >> Deprecated gksudo? Well that's pretty dumb. Any particular reason
> >> Devuan doesn't just fish around for the old gksudo git repo and
> >> continue that instead of dealing with this policykit mess of
> >> complexity? You can allow users in a group, for example
> >> 'installers', to run synaptic by editing sudo's config like so:
> >>
> >> %installers ALL=(ALL) NOPASSWD: /usr/sbin/synaptic
> >>
> >> This Policykit stuff just seems like completely unneeded and
> >> unstable cruft like systemd or pulseaudio.
> >>
> >> Thank you for clarifying though. I'm going to see about getting it
> >> working on Gentoo since I have more experience with ebuilds than I
> >> do with Debian packaging currently.
> >>
> >>
> >>
> > 
> > Just found a drop-in replacement for gksudo. It's called lxqt-sudo.
> > https://github.com/lxqt/lxqt-sudo
> > It works pretty well.
> > 
> Hi,
> 
> this one is nice! but it solves only partially the problem
> of eventually removing policykit because most packages
> like for example synaptic or network-manager have a
> dependency on polkit or on libpolkit-gobject-1.
> Replacing pkexec could be easily done with a wrapper
> calling lxqt-sudo, but I cannot imagine what
> debian packaging voodoo would be needed to
> remove polkit, but for sure a lot of work.
> It is hard to weed out over-complexity once
> it slipped in.
> 
> Ciao,
> Tito
> 

If someone had some time they could patch synaptic to remove any pkexec
stuff. But a quick and dirty hack would be to simply modify the
XDG .desktop file and prepend lxsudo to the command line. Here is an
example I did for Zenmap: https://0x0.st/iZpe.png

[Desktop Entry]
Name=Zenmap (as root)
GenericName=GUI Port Scanner
TryExec=/usr/share/zenmap/su-to-zenmap.sh
Exec=lxsudo zenmap
Terminal=false
Icon=/usr/share/zenmap/pixmaps/zenmap.png
Type=Application
Categories=Network;System;Security;
Comment=A cross-platform GUI for the Nmap Security Scanner.
Keywords=network;scan;scanner;IP;security;
Path=
StartupNotify=false

It should also be noted that Zenmap already came with a decent script to
do this, but for my purposes this simple hack worked well enough. I
didn't like the jarring visual discontinuity of xterm. I would also
rather use sudo than su based tools, since sudo can have finer grained
policies set.

-- 
  
/ Maternity pay? Now every Tom, Dick and \
| Harry will get pregnant.   |
||
\ -- Malcolm Smith   /
  
\
 \
   /\   /\   
  //\\_//\\ 
  \_ _//   /
   / * * \/^^^]
   \_\O/_/[   ]
/   \_[   /
\ \_  /  /
 [ [ /  \/ _/
_[ [ \  /_/

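The two mechanisms tom's post relies on, prepending a privilege wrapper to a desktop entry's `Exec=` line and a group NOPASSWD rule in sudoers, as an added example that is not tom's, lxqt-sudo's or Zenmap's code. The wrapper name `lxsudo` is taken from the thread, the sample desktop entry is constructed here (modelled on the Zenmap one above, with a `%F` field code and a `[Desktop Action]` group added to show they survive the rewrite), and `sudoers_rule` is a helper of the example, not anything sudo ships. The rewrite is idempotent, so running it twice does not stack wrappers, and it leaves `TryExec=` alone so the menu entry still only appears when the real program is installed.

```python
"""Wrap an XDG desktop entry so its program is launched through a
privilege wrapper, and build the matching sudoers line.  Example code
written for this thread; it is not part of lxqt-sudo, Zenmap or Devuan."""
import shlex

WRAPPER = "lxsudo"  # the lxqt-sudo front end named in the thread

# Constructed sample modelled on the Zenmap entry quoted above.  The %F
# field code and the [Desktop Action] group are there to show that both
# come through the rewrite untouched.
SAMPLE_DESKTOP = """[Desktop Entry]
Name=Zenmap
GenericName=GUI Port Scanner
TryExec=zenmap
Exec=zenmap %F
Terminal=false
Type=Application
Categories=Network;System;Security;
Actions=Quick;

[Desktop Action Quick]
Name=Quick scan
Exec=zenmap --quick
"""


def wrap_exec_value(exec_value: str, wrapper: str = WRAPPER) -> str:
    """Prepend the wrapper to an Exec= value unless it is already first.

    The value is split with shlex, which covers the simple quoting desktop
    entries use; field codes such as %F or %U are ordinary tokens and keep
    their position after the program name."""
    argv = shlex.split(exec_value)
    if not argv:
        raise ValueError("empty Exec= value")
    if argv[0] == wrapper or argv[0].endswith("/" + wrapper):
        return exec_value  # already wrapped: never stack wrappers
    return shlex.join([wrapper] + argv)


def wrap_desktop_entry(text: str, wrapper: str = WRAPPER) -> str:
    """Return the desktop file with Exec= in [Desktop Entry] wrapped.

    Only that group is touched: [Desktop Action ...] groups keep their own
    Exec= lines, and every other line (comments, ordering, localised keys,
    TryExec=) is copied through verbatim."""
    out, in_main, found = [], False, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_main = stripped == "[Desktop Entry]"
        elif in_main and stripped.startswith("Exec="):
            line = "Exec=" + wrap_exec_value(stripped[len("Exec="):], wrapper)
            found = True
        out.append(line)
    if not found:
        raise ValueError("no Exec= key in the [Desktop Entry] group")
    return "\n".join(out) + "\n"


def sudoers_rule(group: str, program: str) -> str:
    """Build a group NOPASSWD line of the shape quoted in the thread.

    sudoers matches command specs by fully-qualified path, so a bare
    program name is rejected here instead of producing a rule that would
    never match (visudo would reject it as well)."""
    if not program.startswith("/"):
        raise ValueError("sudoers command specs need an absolute path")
    return f"%{group} ALL=(ALL) NOPASSWD: {program}"


if __name__ == "__main__":
    print(wrap_desktop_entry(SAMPLE_DESKTOP))
    print(sudoers_rule("installers", "/usr/sbin/synaptic"))
```

Whatever ends up in the sudoers line has to name the program sudo finally sees after the wrapper, by absolute path; checking the edited file with `visudo -c` before relying on it is the usual safeguard.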

Re: [DNG] why is polkit needed? dropin replacement

2020-02-21 Thread Florian Zieboll
On Fri, 21 Feb 2020 15:57:42 -0500
Steve Litt  wrote:

> On Wed, 19 Feb 2020 01:23:47 -0800
> tom  wrote:
> 
> > 
> > Just found a drop-in replacement for gksudo. It's called lxqt-sudo.
> > https://github.com/lxqt/lxqt-sudo
> > It works pretty well.
> 
> Will it work even if I'm not using lxqt? Does it stand alone?


Not "alone", but quite fine for a GUI - and compared to gksu in a very
different league:

$ apt show lxqt-sudo | grep Depends # beowulf
Depends: libc6 (>= 2.14), liblxqt0 (>= 0.14.1~), libqt5core5a (>=
5.11.0~rc1), libqt5gui5 (>= 5.7.0), libqt5widgets5 (>= 5.0.2),
libstdc++6 (>= 6)

$ apt show gksu | grep Depends  # jessie
Depends: gconf-service, libatk1.0-0 (>= 1.12.4), libc6 (>= 2.4),
libcairo2 (>= 1.2.4), libfontconfig1 (>= 2.11), libfreetype6 (>=
2.2.1), libgconf-2-4 (>= 3.2.5), libgdk-pixbuf2.0-0 (>= 2.22.0),
libgksu2-0 (>= 2.0.8), libglib2.0-0 (>= 2.16.0), libgnome-keyring0 (>=
2.20.3), libgtk2.0-0 (>= 2.8.0), libpango-1.0-0 (>= 1.14.0),
libpangocairo-1.0-0 (>= 1.14.0), libpangoft2-1.0-0 (>= 1.14.0),
libstartup-notification0 (>= 0.2), sudo Conflicts: gnome-sudo (<=
0.3-1.1)


libre Grüße,
Florian


Re: [DNG] why is polkit needed? dropin replacement

2020-02-21 Thread Steve Litt
On Wed, 19 Feb 2020 01:23:47 -0800
tom  wrote:

> On Wed, 19 Feb 2020 00:35:26 -0800
> tom  wrote:
> 
> > Deprecated gksudo? Well that's pretty dumb. Any particular reason
> > Devuan doesn't just fish around for the old gksudo git repo and
> > continue that instead of dealing with this policykit mess of
> > complexity? You can allow users in a group, for example
> > 'installers', to run synaptic by editing sudo's config like so:
> > 
> > %installers ALL=(ALL) NOPASSWD: /usr/sbin/synaptic
> > 
> > This Policykit stuff just seems like completely unneeded and
> > unstable cruft like systemd or pulseaudio.
> > 
> > Thank you for clarifying though. I'm going to see about getting it
> > working on Gentoo since I have more experience with ebuilds than I
> > do with Debian packaging currently.
> > 
> > 
> >   
> 
> Just found a drop-in replacement for gksudo. It's called lxqt-sudo.
> https://github.com/lxqt/lxqt-sudo
> It works pretty well.

Will it work even if I'm not using lxqt? Does it stand alone?
 
SteveT

Steve Litt 
February 2020 featured book: Thriving in Tough Times
http://www.troubleshooters.com/thrive


Re: [DNG] why is polkit needed? dropin replacement

2020-02-19 Thread Tito via Dng



On 2/19/20 10:23 AM, tom wrote:

> On Wed, 19 Feb 2020 00:35:26 -0800
> tom  wrote:
>
> > Deprecated gksudo? Well that's pretty dumb. Any particular reason
> > Devuan doesn't just fish around for the old gksudo git repo and
> > continue that instead of dealing with this policykit mess of
> > complexity? You can allow users in a group, for example
> > 'installers', to run synaptic by editing sudo's config like so:
> >
> > %installers ALL=(ALL) NOPASSWD: /usr/sbin/synaptic
> >
> > This Policykit stuff just seems like completely unneeded and unstable
> > cruft like systemd or pulseaudio.
> >
> > Thank you for clarifying though. I'm going to see about getting it
> > working on Gentoo since I have more experience with ebuilds than I do
> > with Debian packaging currently.
>
> Just found a drop-in replacement for gksudo. It's called lxqt-sudo.
> https://github.com/lxqt/lxqt-sudo
> It works pretty well.


Hi,

this one is nice! but it solves only partially the problem
of eventually removing policykit because most packages
like for example synaptic or network-manager have a
dependency on polkit or on libpolkit-gobject-1.
Replacing pkexec could be easily done with a wrapper
calling lxqt-sudo, but I cannot imagine what
debian packaging voodoo would be needed to
remove polkit, but for sure a lot of work.
It is hard to weed out over-complexity once
it slipped in.

Ciao,
Tito



Re: [DNG] why is polkit needed? dropin replacement

2020-02-19 Thread tom
On Wed, 19 Feb 2020 00:35:26 -0800
tom  wrote:

> Deprecated gksudo? Well that's pretty dumb. Any particular reason
> Devuan doesn't just fish around for the old gksudo git repo and
> continue that instead of dealing with this policykit mess of
> complexity? You can allow users in a group, for example
> 'installers', to run synaptic by editing sudo's config like so:
> 
> %installers ALL=(ALL) NOPASSWD: /usr/sbin/synaptic
> 
> This Policykit stuff just seems like completely unneeded and unstable
> cruft like systemd or pulseaudio.
> 
> Thank you for clarifying though. I'm going to see about getting it
> working on Gentoo since I have more experience with ebuilds than I do
> with Debian packaging currently.
> 
> 
> 

Just found a drop-in replacement for gksudo. It's called lxqt-sudo.
https://github.com/lxqt/lxqt-sudo
It works pretty well.

-- 
 _ 
/ We're Knights of the Round Table We \
| dance whene'er we're able We do |
| routines and chorus scenes We're|
| knights of the Round Table With |
| footwork impeccable Our shows are   |
| formidable We dine well here in Camelot |
| But many times We eat ham and jam and   |
| Spam a lot. We're given rhymes  |
| |
| That are quite unsingable In war we're  |
| tough and able, We're opera mad in  |
| Camelot Quite indefatigable We sing |
| from the diaphragm a lot. Between our   |
| quests We sequin vests And impersonate  |
| Clark Gable It's a busy life in |
| Camelot. I have to push the pram a lot. |
| |
\ -- Monty Python /
 - 
\
 \
   /\   /\   
  //\\_//\\ 
  \_ _//   /
   / * * \/^^^]
   \_\O/_/[   ]
/   \_[   /
\ \_  /  /
 [ [ /  \/ _/
_[ [ \  /_/